Analysis of SQL injection prevention using a proxy server




Computer Science Honours 2005 Project Proposal

Analysis of SQL injection prevention using a proxy server

By David Rowe <g01r0806@ru.ac.za>
Supervisor: Barry Irwin <b.irwin@ru.ac.za>
Department of Computer Science, Rhodes University
Monday 14 March 2005

Page 1 of 12

1. The Project Overview and Statement of the Problem

SQL Injection is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database. An attacker is able to insert a series of SQL statements into a 'query' by manipulating the data input. For example, by adding a single quote (') to the parameters, it is possible to cause a second query to be executed with the first (Finnigan, 2002) (Anley, 2002). A typical SQL statement is:

    select id, forename, surname from authors where forename = 'Joe' and surname = 'Bloggs'

An important point to note is that the string literals are delimited by single quotes. The user may be able to inject some SQL if the user provides:

    Forename: Jo'e
    Surname: Bloggs

The query string becomes:

    select id, forename, surname from authors where forename = 'Jo'e' and surname = 'Bloggs'

The database engine will return an error:

    Line 1: Incorrect syntax near 'e'.

In ASP, a critical vulnerability is the way in which the query string is created. For example:

    var SQL = "select * from users where username = '" + username + "' and password = '" + password + "'";

If the user specifies the following:

    Username: '; drop table users--

the 'users' table will be deleted, denying access to the application for all users (Anley, 2002).
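The concatenated query above beside a parameterised alternative, as an added Python example that is not part of the proposal: an in-memory SQLite table named authors is constructed here to mirror the paper's example, and the two lookup functions show that the input Jo'e breaks the concatenated statement (the "Incorrect syntax near 'e'" situation) while a bound parameter treats the quote as ordinary data. The table contents and function names are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data mirroring the paper's 'authors' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table authors (id integer primary key, forename text, surname text)"
    )
    conn.executemany(
        "insert into authors (forename, surname) values (?, ?)",
        [("Joe", "Bloggs"), ("Jo'e", "Bloggs"), ("Ann", "Smith")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, forename, surname):
    """Vulnerable form: the statement is assembled by string concatenation,
    like the ASP snippet in section 1. User data becomes part of the SQL
    text, so a quote in the input changes where the literal ends. Returns
    the list of matching ids, or an 'error: ...' string when the assembled
    statement no longer parses."""
    sql = (
        "select id, forename, surname from authors where forename = '"
        + forename + "' and surname = '" + surname + "'"
    )
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def lookup_parameterised(conn, forename, surname):
    """Hardened form: the statement text is fixed and the values are bound
    separately, so the database never re-parses user input as SQL. A quote
    in the data is just another character."""
    sql = (
        "select id, forename, surname from authors "
        "where forename = ? and surname = ?"
    )
    return [row[0] for row in conn.execute(sql, (forename, surname))]


if __name__ == "__main__":
    db = make_db()
    for name in ("Joe", "Jo'e"):
        print(name, "concatenated ->", lookup_concatenated(db, name, "Bloggs"))
        print(name, "parameterised ->", lookup_parameterised(db, name, "Bloggs"))
```

The parameterised version returns the row for Jo'e because the quote never reaches the SQL parser; the concatenated version either raises a syntax error or, with a differently shaped input, runs SQL the application never wrote.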

An attack against a database using SQL Injection could be motivated by two primary objectives:
- To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
- To gain access to an organisation's host computers via the machine hosting the database (Finnigan, 2002).

SQL injection is a relatively simple technique and on the surface protecting against it should be fairly simple; however, auditing all of the source code and protecting dynamic input is not trivial, and neither is reducing the permissions of all application users in the database itself. It is not easily possible to detect SQL injection with an audit of the SQL commands executed; detection relies instead on an audit of the errors generated while the hacker is trying to gain access to the database. These error messages can be as useful to the hacker as they are to the database administrator building up database queries and stored procedures (Finnigan, 2003).

The main project goals are to:
- Analyse the structure of SQL query commands.
- Build a parser that will check allowable patterns of SQL statements.
- Construct a list of common SQL injection commands.
- Create a proxy server that will alert the database administrator of possible SQL injection commands.
- Prevent a SQL injection attack on a database using this proxy server.
- Prove that SQL injection can be prevented using the filter developed to work on the proxy server.

2. Proposed Breakdown of Project Activities

Below is an outline of intended project implementation.

First Term
- Put together a project web page which will include a project synopsis, timeline, presentations, material for literature survey and relevant links.
- Reading: background and investigation of common SQL injection techniques.
- Update research blog.
- Identify the problem.
- Application design using UML.

Mid-Semester Holiday
- Gather information for literature survey.
- Prepare for oral presentation, to include a demonstration.

Second Term
- Add filtering properties to the proxy server.

Third Term
- Poster presentation.

Fourth Term
- Draft and Final Paper.
- Oral Presentation.
- Final project write up.

Milestones for the project are detailed below in Table 1.

Table 1: Table of milestones and targets for the honours course (2005 honours milestones and project targets, listed by week)

7-Feb to 7-Mar: (no milestone or target)
14-Mar: project proposal; Finish proposal
21-Mar: Oral presentation; April Vac
28-Mar: Working proxy server
4-Apr: 10 min oral
11-Apr: Add filter properties
18-Apr, 25-Apr: (no milestone or target)
2-May: Draft Literature survey
9-May, 16-May: (no milestone or target)
23-May: 10 page lit survey
30-May: Swot Week
6-Jun: Exams; Oral presentation
25-Jul: 15 min oral; Poster
1-Aug: Draft paper
8-Aug, 15-Aug: (no milestone or target)
22-Aug: Poster; Final Paper
29-Aug: Final oral
5-Sep: (no milestone or target)
12-Sep: September Vac
19-Sep: 5-7 page draft paper
26-Sep: final paper
3-Oct: First Chapter Drafts
10-Oct, 17-Oct, 24-Oct: (no milestone or target)
31-Oct: Final Oral
7-Nov: Project Hand In

3. Literature Survey

SQL injection is not a new problem. The date of its discovery is uncertain. However, in the last few years, SQL injection attacks have been on the rise (Maor and Shulman, 2003). Maor and Shulman (2003) outline research that has proved that suppressing error messages, going back to the security by obscurity approach, cannot provide a real solution to application level risk. Applications have still proven to be vulnerable despite all efforts to limit information returned to the client.

There are a few applications that have been developed by companies in an effort to provide a solution to this problem. Some have been outlined below.

Imperva Inc. has provided SecureSphere, which uses advanced anomaly detection, event correlation, and the broadest set of application level signature dictionaries to protect web applications and databases from known and unknown attacks (Imperva Inc., 2004).

ModSecurity is an open source intrusion detection engine for web applications, which may provide helpful tips on how to detect SQL injection. Ristic (2003) has developed ModSecurity/Java, which is a Servlet 2.3 filter that stands between a browser and the application, monitors requests and responses as they are passing by, and intervenes when appropriate in order to prevent attacks.

AirLock combines a secure reverse proxy with intrusion prevention, content filtering, user authentication enforcement, and application-level load balancing and failover (Seclutions, 2003).

There is data that shows that injection flaws have been sixth in the top ten vulnerabilities for the past two years and that 62% of web applications are vulnerable to SQL injection attacks (OWASP, 2004) (WebCohort Inc., 2004).

Microsoft (2003b) offers the following tips for preventing SQL injection:
1. Validate all user input before transmitting it to the server.
2. Permit only minimally privileged accounts to send user input to the server.
3. Run SQL Server itself with the least necessary privileges.

Many white papers have been written about preventing SQL injection. Kc, Keromytis, and Prevelakis (2003) provide evidence that there has been a lot of development and research in the area of how to detect and test sites for SQL injection. A few good papers will form the foundation of analysis of the problem domain.

The presentation by Hotchkies (2004) at the Black Hat USA 2004 convention outlines automated blind SQL injection techniques. He mentions that string comparison is suitable for error based SQL injection but not blind SQL injection. He also mentions that there are three kinds of SQL injection:
- Redirecting and reshaping a query
- Error message based
- Blind SQL injection

Microsoft (2003a) provides a good background into the problem of SQL injection. It puts the whole problem into context. The site provides explanations of the components of SQL injection strings and the syntax choices. The examples include SQL injection attacks and creating a secure data access component using Java's regular expressions.

Beyond Security Ltd. (2002) provides concise examples of SQL injection and database error messages, as well as methods on how to prevent SQL injection.

The white paper by Anley (2002) covers research into SQL injection as it applies to the Microsoft Internet Information Server/Active Server Pages/MS SQL Server platform. It addresses some of the data validation and database lockdown issues that are related to SQL injection into applications. The paper provides examples of SQL injection attacks and gives some insight into .asp login code and query error messages used to exploit databases.

Finnigan (2003) goes through worked examples of SQL injection attacks in his white paper on Detecting SQL Injection in Oracle. It focuses on detecting SQL injection by auditing the error message log files. It attempts to highlight the fact that during a hacking attempt, the error messages leave a trail that can help expose the vulnerabilities of the database being attacked.

Spett (2002) of SPI Dynamics presents a paper describing SQL injection in general. It goes through some common SQL injection techniques and proposes a solution to the problem. The paper provides a list of database tables that are useful to SQL injection in MS SQL Server, MS Access and Oracle. It also provides examples of SQL injection using select, insert, union and stored procedures. The examples work with a web service that returns information to the user. This paper deals primarily with the structure of the SQL injection commands and guides to overcoming possible errors returned by the database. It should be noted that SQL injection can still occur if there is no feedback to the client. So, one could create a new valid user in a database without receiving errors and then log on.

Grossman (2004), CEO of White Hat Security, Inc., in his presentation at the Black Hat Windows Security 2004 convention, outlines the challenges of scanning web application code for vulnerabilities. He points out that the scanner is restricted to looking for classes of vulnerabilities such as SQL injection or cross site scripting. The reason for this is that the benefit of known security issues is lost because the remote scanner does not have access to the source code.

There is no way to provide everyone with the minimum privileges necessary. Thus the paper explores some simple techniques in extracting the logging and trace data that could be used for monitoring. This paper is an extension of a two-part paper on investigating the possibilities for an Oracle database administrator to detect SQL injection. This paper provides many scripts on SQL injection and extracting logs (Finnigan, 2003).
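The error-trail audit that Finnigan (2003) describes, as an added Python example that is neither the proposal's nor Finnigan's code: a handful of constructed application log lines are scanned for database parser errors (the "Incorrect syntax near" message quoted in section 1 plus two other SQL Server error texts), and a client is flagged once it has produced several of them. The log format, the client addresses, the request paths and the alert threshold are all assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample application log (not from any real system). Each line is
# "<date> <time> <client-ip> <message>"; error lines carry the text the
# database returned to the application.
SAMPLE_LOG = """\
2005-03-14 10:01:02 10.0.0.5 GET /authors.asp forename=Joe surname=Bloggs ok
2005-03-14 10:01:09 10.0.0.7 GET /authors.asp forename=Jo'e surname=Bloggs error: Line 1: Incorrect syntax near 'e'.
2005-03-14 10:01:15 10.0.0.7 GET /authors.asp forename=Jo' surname=Bloggs error: Unclosed quotation mark before the character string ''.
2005-03-14 10:01:40 10.0.0.7 GET /login.asp error: Invalid column name 'x'.
2005-03-14 10:02:03 10.0.0.9 GET /authors.asp forename=Ann surname=Smith ok
2005-03-14 10:02:20 10.0.0.7 GET /login.asp error: Line 1: Incorrect syntax near ';'.
"""

# Database parser and binder error texts that broken quoting typically
# triggers; the first is the message quoted in section 1 of the proposal.
ERROR_SIGNATURES = (
    "Incorrect syntax near",
    "Unclosed quotation mark",
    "Invalid column name",
)

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")


def parse_line(line):
    """Split one log line into timestamp, client and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m.group(1), "client": m.group(2), "msg": m.group(3)}


def find_sql_errors(log_text):
    """Return the records whose message carries one of the error signatures."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for sig in ERROR_SIGNATURES:
            if sig in rec["msg"]:
                rec["signature"] = sig
                hits.append(rec)
                break
    return hits


def clients_to_alert(log_text, threshold=3):
    """Clients that produced at least `threshold` database errors. A burst of
    syntax errors from one source is the trail Finnigan describes; a single
    stray quote from one user (Jo'e) is noise and stays below the threshold."""
    counts = Counter(rec["client"] for rec in find_sql_errors(log_text))
    return sorted(client for client, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for rec in find_sql_errors(SAMPLE_LOG):
        print(rec["ts"], rec["client"], rec["signature"])
    print("alert:", clients_to_alert(SAMPLE_LOG))
```

The point of the threshold is the one the proposal makes: the error messages are the evidence, but a single error is as likely to be a typo as a probe, so the audit counts them per source before alerting the database administrator.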

4. Design Considerations and Implementation Decisions

The development language will be C#. The operating system, development and database platforms will be Microsoft based. The reason for this is to prevent compatibility issues. The implementation phase may require the design of a grammar that can be fed into a code generator to produce a parser to act as a filter.

The current databases return the results of a statement to the client. The request and results are carried by a link from the client to the database and back again. This project aims to eliminate the possibility of SQL injection by the use of a proxy server, which will be placed in between the two communicating devices. This will allow for the filtering of possible SQL injection attempts. The main step is illustrated in Figure 1 below.

Figure 1: The Main Implementation Step

Figure 2: The function of the proxy server

5. The Expected Results

In order to accomplish the previously mentioned project goals, the final product should consist of:
- A proxy server,
- A SQL query parser,
- Prevention of a SQL injection attack by filtering the queries using the proxy server.

6. Possible Extensions

The project could be extended to handle other databases such as MySQL, Oracle and Postgres, as well as other operating systems. A further extension of the project could involve an investigation into the performance impact of the proxy server on data transfer (Beynon, Sussman and Saltz, 1999).
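The parser-based filter that the project goals (section 1), the design (section 4) and the expected results (section 5) describe, as an added Python illustration that is not the project's own code: each statement the proxy intercepts is reduced to its shape, with string and numeric literals replaced by placeholders and comments or unmatched characters kept as markers, and the shape is compared against an allow-list of the statements the application is known to generate. The allow-list is assumed to consist of the two statements from section 1, the tokeniser covers only the SQL subset those statements use, and the function names are invented for the example.

```python
import re

# Tokeniser for the subset of SQL the filter needs to see. Order matters:
# string literals and comments are matched before punctuation so that a quote
# inside a literal is not mistaken for a stray one.
TOKEN_RE = re.compile(
    r"""
      (?P<str>'(?:[^']|'')*')            # single-quoted literal, '' escapes a quote
    | (?P<num>\b\d+(?:\.\d+)?\b)         # numeric literal
    | (?P<comment>--[^\n]*|/\*.*?\*/)    # line or block comment
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)   # keyword or identifier
    | (?P<punct>[(),;=<>*+\-/.])         # operators and separators
    | (?P<ws>\s+)                        # whitespace (dropped)
    | (?P<bad>.)                         # anything else, e.g. an unmatched quote
    """,
    re.VERBOSE | re.DOTALL,
)


def skeleton(sql):
    """Reduce a statement to its shape: literals become placeholders, keywords
    and identifiers are lower-cased, and comments or unmatched characters are
    kept as visible markers so they cannot hide inside a literal."""
    parts = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "str":
            parts.append("'S'")
        elif kind == "num":
            parts.append("N")
        elif kind == "comment":
            parts.append("<comment>")
        elif kind == "bad":
            parts.append("<bad:%s>" % m.group())
        else:
            parts.append(m.group().lower())
    return " ".join(parts)


# Assumed allow-list: the shapes of the two statements in section 1. In the
# proposed proxy this list would come from analysing the application's queries.
ALLOWED_SHAPES = frozenset({
    "select id , forename , surname from authors where forename = 'S' and surname = 'S'",
    "select * from users where username = 'S' and password = 'S'",
})


def check_query(sql, allowed=ALLOWED_SHAPES):
    """Decision the proxy would make for one intercepted statement:
    ('allow', shape) or ('reject', shape, reason)."""
    shape = skeleton(sql)
    if shape in allowed:
        return ("allow", shape)
    if "<bad:" in shape:
        reason = "unmatched character (literal delimiter broken)"
    elif ";" in shape.rstrip(" ;"):
        reason = "statement separator inside the statement"
    elif "<comment>" in shape:
        reason = "comment sequence in a generated statement"
    else:
        reason = "shape not in allow-list"
    return ("reject", shape, reason)


if __name__ == "__main__":
    for q in (
        "select id, forename, surname from authors where forename = 'Joe' and surname = 'Bloggs'",
        "select id, forename, surname from authors where forename = 'Jo'e' and surname = 'Bloggs'",
        "select * from users where username = ''; drop table users--' and password = 'x'",
    ):
        print(check_query(q))
```

Comparing shapes rather than raw text is what lets the filter pass a legitimate name such as O''Brien (a quoted literal is still one token) while rejecting the Jo'e statement from section 1, whose broken quoting leaves an unmatched delimiter, and the section 1 drop-table case, whose shape gains a second statement and a trailing comment that the application never generates.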

7. References

Anley, C (2002) Advanced SQL injection [Online]. Available: http://www.nextgenss.com/papers/advanced_sql_injection.pdf

Beynon, M D, Sussman, A, and Saltz, J (1999) Performance impact of proxies in data intensive client-server applications. ACM Journal: Proceedings of the 13th international conference on Supercomputing, Rhodes, Greece. Pages: 383-390. ISBN: 1-58113-164-X. [Online]. Available: http://portal.acm.org/citation.cfm?doid=305138.305216

Beyond Security Ltd. (2002) SQL Injection Walkthrough [Online]. Available: http://www.securiteam.com/securityreviews/5dp0n1p76e.html

Finnigan, P (2002) SQL Injection and Oracle, Part One [Online]. Available: http://www.securityfocus.com/infocus/1644

Finnigan, P (2003) Detecting SQL Injection in Oracle [Online]. Available: http://securityfocus.com/infocus/1714

Grossman, J (2004) The Challenges of Automated Web Application Scanning [Online]. Available: http://www.blackhat.com/html/bh-media-archives/bharchives-2004.html#windows-2004

Hotchkies, C (2004) Blind SQL Injection Automation Techniques [Online]. Available: http://www.blackhat.com/html/bh-media-archives/bh-archives-2004.html#USA-2004

Imperva Inc. (2004) SQL injection attack prevention [Online]. Available: http://www.imperva.com/products/securesphere/attack_prevention/sql_injection.html

Kc, G S, Keromytis, A D, and Prevelakis, V (2003) Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM conference on Computer and communication security, Washington D.C., pp. 272-280 [Online]. Available: http://doi.acm.org/10.1145/948109.948146

Maor, O and Shulman, A (2003) Blind SQL Injection [Online]. Available: http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html

Microsoft (2003a) Secure Multi-tier Deployment [Online]. Available: http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec03.mspx

Microsoft (2003b) Checklist: Security best practices [Online]. Available: http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx

Ristic, I (2003) ModSecurity/Java [Online]. Available: http://www.modsecurity.org/products/modsecurity/java/index.html

Seclutions AG (2003) AirLock - application security gateway [Online]. Available: http://www.seclutions.com/en/downloads/airlock_overview_nov_2003.pdf

Spett, K (2002) SQL Injection: Are Your Web Applications Vulnerable? [Online]. Available: http://www.spidynamics.com/whitepapers/whitepapersqlinjection.pdf

The Open Web Application Security Project (OWASP) (2004) Top Vulnerabilities in Web Applications [Online]. Available: http://umn.dl.sourceforge.net/sourceforge/owasp/owasptopten2004.pdf

WebCohort, Inc. (2004) Only 10% of Web Applications are Secured Against Common Hacking Techniques [Online]. Available: http://www.imperva.com/company/news/2004-feb-02.html